Why not become a lifetime supporting member of the site with a one-time donation of any amount? Your donation entitles you to a ton of additional benefits, including access to exclusive discounts and downloads, the ability to enter monthly free software drawings, and a single non-expiring license key for all of our programs.

You must sign up here before you can post and access some areas of the site. Registration is totally free and confidential.

I'm giddy today. So I created a new challenge. I posted it over to Slashdot too. (Slightly reworded for DC vs there.)

I've wondered for a long time now about encryption. I think it's time to use "out of the box" approaches to encryption.

I'm certainly not in that Elite-IQ crowd but given the very nature of how the sender has a colossal advantage over the breaker, I think I could create a message that no one but the elite genius at those agencies could break. I think no one at DC is good enough to get it, nor Anonymous. Mensa might have a chance, barely.

This is different from "certifying it unbreakable". I'm avoiding that trap. Just "Sufficiently hard".

Any takers? It might even be fun if someone has Academic connections. My overall concept is so good I think I could stump almost all of the Non-Gov Professors too.

Anyone interested, reply here. I'll reply with a watered down "easy version" just to be sure someone's not trolling me. (Also it forms a weak version of a test.) On the (slim?) chance that someone gets it, I'll produce a couple of the real corkers. I'd stake up to $100 of my own money through a certified neutral holder. Not that it's "worth that little", just saying I'm not trolling, this concept is so good nobody but the absolute best will figure it out. It's a new METHOD of encryption, so it's probably even NP-Hard (I'm probably using that term wrong) as a class so that "almost unlimited" examples can be created.

On a personal level you have picked my interest (in wanting to know how your scheme works, not breaking it).

On a professional level it is likely not that interesting as any method other than the default ones are very hard to sell to (mediocre) management that just want to buy some extra protection for their site/LAN/whatever.

Like Shades, I'd be interested in learning about the methodology. But I lack the time and interest to actually want to try cracking anything. Not that I'd be "leet" enough at cracking to pull it off even if I wanted to.

That's why I only pay attention to so-called "open" encryption algorithms. They constantly have a few hundred very smart and qualified eyes on them. So any exploitable holes or weaknesses (either from intrinsic factors or introduced by advances in cracking technology) usually get identified and fixed quite quickly. With the result that open encryption tools are 'known' and often more secure than methods that depend on obscurity for part of their security.

Good luck with your new methodology however. Anything that can make our data more secure is ok by me.

In fact, I got a reply from a privacy-security web site firm in New York. Heh I also sent it off to a personal contact.

This is my "easy example". I put the extra provocative language that "if the best people in the biz can't bust this in 2-3 days, and this is the purposely weakened example with lots of extra hints, then my larger point that there are lots of concepts left for cryptography stands".

EDIT: I did explain below. But if my initial post stumped you, that was the entire point - innovative cryptography means that the method is unclear. I purposely said it's not "inifinitely secure", there are edge cases. But I believe there is a big "Good Enough" realm for many uses.

-----

(repaste of other text)

Rather than explain, I shall give an example! (Isn't that the point of encryption - half the sauce is in the method!)

Do you like Chinese Food? The correct message is 2 letters long. And I shouldn't even tell you that but I'm being nice. : ) And I didn't even use any of my nasty tricks. So this should be nice and relaxing, you know, over breakfast or lunch, with some nice buttered toast.

1010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010^7101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010110101010101010101010^4(Lots of Extra Line Breaks in there, to get it to fit in the forum)So that should be a nice pleasant warmup to our discussion! To make it even easier, here are some hints!

- I hand coded that one, so there may be a mistake, but formalized, the concept means that we currently rely on "perfect messages" as output, which is a flaw. Once my method above is known, it should be a trivial fix for any competent staffer. In the theory of cryptography, we rely too much on "perfect translations", so that when designing new theory, we should make the recipient "work a little" to prove the message. To make this obvious, an "x" in a random spot can't possibly (NORMALLY!) be part of the message, but it's enough to slow down the crackers.

- For the same reason that AI's struggle, put a "human factor" into codes. Let's suppose I made a mistake in my hand coding. A "human analyst would look for nearby cases". (This can be later automated.)

- At the brutally obvious level, all that junk can't be 1-1, to produce a 2 letter answer, so clearly something else is going on. But what?

Heh -

I appreciate your interest, and I hope my "easy version with hints" is enough to spark your interest. To joke, I gave so many hints that if your best cracker can't do it in two days after purposely weakening it as much as amuses me, my point is made about my bigger concept, which is that tons of ideas have not yet made it to Professional Cryptography.

To distract the living hell out of you, (essential part of any good crypto message) I'll mention Kurt Godel, and ask you how many characters there are in this email!

Like Shades, I'd be interested in learning about the methodology. But I lack the time and interest to actually want to try cracking anything. Not that I'd be "leet" enough at cracking to pull it off even if I wanted to.

That's why I only pay attention to so-called "open" encryption algorithms. They constantly have a few hundred very smart and qualified eyes on them. So any exploitable holes or weaknesses (either from intrinsic factors or introduced by advances in cracking technology) usually get identified and fixed quite quickly. With the result that open encryption tools are 'known' and often more secure than methods that depend on obscurity for part of their security.

Good luck with your new methodology however. Anything that can make our data more secure is ok by me.

You have a point about "open" schemes, but somewhere in the mix I believe the Obscurity Factor is under-rated. If you cannot tell even what algorithm to use, then you as the Interested Enemy are slowed down that much more.

It also relates to my theory of "Good Enough". I carefully ruled out absolute results. Then if "you yourself" are not interested enough to crack the code and have to "delegate it off", then the method stands. So maybe "Alexander Fegorov in Russia" knows how to break it, if 1000 US generals don't have access to him, the method stands for the first 100 messages. Then we just switch methods anyway.

And I have over 30 individual element techniques on tap anyway, so that's the power of obfuscation. Half your problem is even figuring out what the blazes I am doing.

On a personal level you have picked my interest (in wanting to know how your scheme works, not breaking it).

On a professional level it is likely not that interesting as any method other than the default ones are very hard to sell to (mediocre) management that just want to buy some extra protection for their site/LAN/whatever.

All of my ideas can be automated to be "purchased as additional security". I am just staying Low Level Old School to demonstrate that there is room for innovation that I have not seen covered in the articles.

1. Go to http://upsideout.com/1a. Download graphic for Proxy.org1b. Change File Extension from .gif to Null by deleting the file extension altogether.1c. Open the Null file in MS Wordpad.1d. Review open file - lots of junk characters - but here is the magic!

2. Examine the coded message. The 10's are meant to be a Trojan Horse for Binary guesses, but they are actually cumulative batches of 10.2a. Add up the Batches of 10. The code letters are counted as # of characters from the top of the document. And this is the simple case!2b. ^ is a deliberate re-use of a symbol, not to be the exponent of anything, but to mean "Approximately this many characters in". I have yet to formalize whether a character count is before or after the character, etc. Also, this covers for human errors. If I say "Approx 6 char in" and the first 8 are total junk and char 9 works, that's part of the theme, though that gets better with software.2c. Once a character is located, the count starts back at zero. This should work for about any two uses of a letter here and there, because it sorta approximates 3-4 digit numbers per letter, so even if they get a stray L, that can't be that great of a help.

3. Take the next section of code from the beginning again. (In this variant! This was meant to be easy! Relative Counting via software is even better!)3a. Count out the next batch of 10. Include the possibility that the author miscounted the batches! These are junk boxes, so if you come up way short, call me a moron, add an extra batch, then try again. Formalized again, this kind of thing will beat the Cracker programs because it's outside the algorithm (currently!).3b. Find the second letter of the code.

4. Assemble the message.4a. I only did two letters with a purposely easy method. I have almost 30 methods on tap. For example, relative counting, "destructive boxes" which change the letter countings of the data, I don't even have to use a single file, Unknown file locations, unknown data formats produce their own file-junk in Notepad, Trojan Horse Messages that are incorrect seemingly duplicate solutions, and more.

5. Publish the results. The Alpha test went to Justin Schlecter of UpsideOut.com and UpsideOut, Inc., DonationCoder.com, and an extra contact of my own. Method: If a both weakened and partially explained test example cannot be cracked in a trivial amount of time, then hardened versions combined with all the other methods should be a new set of security concepts.

6. Ideas: The power comes from blending multi-disciplinary ideas.

6a. Steganography is the art of including data that is at best meaningless, and even worse, misleads the cracker into a blind alley as a false hint.6b. Multiplicity (as I term it) is the idea that it's not just a simple-but-tough algorothm; instead the cracker initially doesn't even know all of the techniques to use. So enemy time will be wasted trying to figure out even what methods to use, in what order.6c. Obfuscation. Any of my internal results can be "wrapped" in a standard Crypto layer, so that even if a chunk of time and comps are used to break the outer layer, the message is still a mess. When modern cracking programs look for a pattern and the "correct answer at that level" is stillwergefrhrthjrewfgtrjreTGartheWHearygerHYareh, they might have trouble recognizing it as a valid key break. More research is needed here. Even if they do, the next step still takes a secondary algorithm, which could be "anything" as far as they know.6d. Innovation - I believe there are tons of materials made possible by the Computer Revolution which will contribute to Cryptographic theory, but are not currently being harnessed. I have used a few of them in my sample.6e. Left Field Thinking - My term for a new style of Cryptography. A quick glance over current literature on Cryptography seems to revolve on high end math. There is a lot of fertility left in low end PreProcessing and Post-Processing not covered by all this literature. Almost anything can be converted to cryptographic use, from spacial placement of desktop icons, to spaces in a document, to fonts used for punctuation per document per a chart. (Can you tell an Arial period from a Geneva period?)6f. Test Cases. I have sent off a couple of purposely weakened test cases. If even the weak test cases prove troublesome, then the advanced algorithms and methods must be even worse!

7. There IS a mistake!!!!! (Not intentional, but recovering from it is part of this memo). I think a lot of my "10's" became straight "0's" in the last half. So I think restoring them to 10's works. I might have lost count, the receiver might need to add a 10. But it's still distractions, which serves my point. ((Partially fixed for DC, but there are still a couple of extra characters!))

You have a point about "open" schemes, but somewhere in the mix I believe the Obscurity Factor is under-rated. If you cannot tell even what algorithm to use, then you as the Interested Enemy are slowed down that much more.

There is that argument. I've heard it made in other places. I can't comment on how correct it is because I have an amateur's understanding of cryptography and lack the amount of college level math (I only took 6 courses so I'm fairly ignorant) to be able to determine for myself how much it has bearing in a real-world situation. I will agree however that it seems like it should make things harder for a cracker.

The only problem with obscurity as a feature is the deployment of your methods are directly dependent on just how willing somebody is to trust you, the person who came up with them. Quis custodiet ipsos custodes? as the Romans so wisely observed.

In the case of encryption, I'm amazed how just how clever some people are with that sort of thing. But there's very few operating in "lone wolf" mode that I would trust with something like a client's data encryption. Because this is one of those areas where nobody can completely and unreservedly trust anybody. Especially a single individual. It's one of those places where we have "watchmen watching watchmen watching watchmen watching men you want watched."

So obscurity, while it may make life more complicated for a cracker, isn't part of the equation in most cryptographic discussions. Unless it is a documented obscuration method - at which point it loses 90% of it's effectiveness when it winds up on the list headed: other things to check for.

Either way, what you shared is (to me at least) quite interesting. I wish you luck with wherever you want to take what you're up to.

I don't mean to throw cold water on anyone but as creative as all of these homebrew encryption schemes are, and they come up every once in a while, there is very wide agreement among people who are very serious about cryptography and spend their whole life studying it, that these kinds of approaches are not the way to go.

I think the root of the problem is that you are designing encryption algorithms that would be hard for another person to sit down and figure out with a pen and paper -- but modern cryptanalysis is done using mathematical tools that look for deeper mathematical patterns.

Modern cryptography is much more focused on employing a few very well known mathematical non-invertible operations that have withstood decades of attempts to defeat. People don't use the algorithms simply because they "seem" tricky to figure out.

Again, I don't want to dampen your enthusiasm -- cryptography is wonderfully fun -- but just don't think you can make a truely secure encryption algorithm just by combining a bunch of obfuscation and random functions.

Come to think of it, is it not so that the software that implements the scheme as proposed by TaoPhoenix has to know which kind of scheme is has to work with code-wise?

Thus clearing up the whole obfuscation part for one who knows where to look/reverse-engineer? It sounds silly to me to have the software 'bruteforce' its way through the possible encryption techniques, as it would make using this software unbearable slow and very CPU/GPU resource hungry.

Come to think of it, is it not so that the software that implements the scheme as proposed by TaoPhoenix has to know which kind of scheme is has to work with code-wise?

Thus clearing up the whole obfuscation part for one who knows where to look/reverse-engineer? It sounds silly to me to have the software 'bruteforce' its way through the possible encryption techniques, as it would make using this software unbearable slow and very CPU/GPU resource hungry.

Thanks everyone for chiming in.

One part of this is Audience - it was always about my own data outbound to correspondents, with vague surveying the intrusion culture such as Gmail's new SuperAggregation, etc. Designing systems for other clients wasn't part of it all.

Above all it was about education - I knew I was on to something, and I wasn't all that far off. I'm happy to use implementation details by the Pros. I just knew my basic starting point was less "small-key alg" based, and more straddling the lines of One Time Pads and One Time Book Ciphers. Having seen the Statistical Frequency attacks and noticing the much higher (though not perfect!) entropy in program files forced open into Notepad, the notion occurred to me that such files would *approximate* One Time Pads, and mostly avoid the statistical attacks of ordinary Book Ciphers.

That Chinese paper closed the loop, essentially saying that my concept was close, but to perform those operations at the binary level on binary text data, rather than symbol-to-letter. So then theoretically all I'd need was a program that simply performed the binary book cipher encoding. So yes, even if the method is known, according to the paper, it should still be very difficult to extract the data with one-time-books.

So then to clarify, since by definition any cipher requires the recipient to have something secret, I was just leaning toward it being "secretly chosen books" rather than "secretly chosen short keys".

I was going to say something about being interested....then, after I saw you mentioned anonymous, I was really intrigued that the message in which you placed some binary code? you added ^7 and ^4, which is curiously the same two numbers (i believe) that show up in lulz.sec's xmas message from last year. (re: the first frame or two, the movin' numbas).....maybe i'm just crazy, but you could be a "semi-troll"

also, I think your attempts are merely crap. and I'm not IT, but after a few hours learning a bit about algorithmic applications to binary; and how that can compute towards a quadratic equation of sorts (you know, 32, 32, 32, 32), I really don't think you're pushing anything here.

and in regards to the sender, and receiver? did you get anywhere with private , public exponents ?

my spelling and terms might be wrong, AND maybe I should have looked through the whole thread. but,......that first post dude/ette, you sound like a certain someone from anti-sec. I hope you aren't since we're just here to have a good time right?

also, u crazed, dude? cuz, you cut and pasted most of your shit. Basically, imho, you could have said this: Hey! come and click this site! we have "trojans" but not really! and if you know anything about that silly little machine used in WWII, Hacking the Gibson, and how to look up Tempest, or even pixels, or even ways to close little tiny loops, and blah blah blah blah. basically, you need to reinvest yourself in a more wise decision, try this: take a few variables, make it 5, and apply primes to those five, let's call them a, b, c, d, e, and then, let's make a+b+c/82-3.21 and put the letter N (as an exponent), and then route it back to the original equation of a-b =b-a, then just pretend now, that 0 equals a circle, and that 1 equals a dot, then pixel that shit, then put it on a ray, right to left, right? and don't forget to add mole day, that computers are out of control (or doubled as they say every 18 months or so), and tell me, what you have here that any one of use couldn't do or find? and for 100 dollars, i think you should pay me. because this post I have here, makes no sense.///But, if you like imaginary numbers, html, and maybe you should stick to 128bit, because as everyone knows you cannot add another 32, because that's still off from 154 ......or something....

also, u crazed, dude? cuz, you cut and pasted most of your shit. Basically, imho, you could have said this: Hey! come and click this site! we have "trojans" but not really! and if you know anything about that silly little machine used in WWII, Hacking the Gibson, and how to look up Tempest, or even pixels, or even ways to close little tiny loops, and blah blah blah blah. basically, you need to reinvest yourself in a more wise decision, try this: take a few variables, make it 5, and apply primes to those five, let's call them a, b, c, d, e, and then, let's make a+b+c/82-3.21 and put the letter N (as an exponent), and then route it back to the original equation of a-b =b-a, then just pretend now, that 0 equals a circle, and that 1 equals a dot, then pixel that shit, then put it on a ray, right to left, right? and don't forget to add mole day, that computers are out of control (or doubled as they say every 18 months or so), and tell me, what you have here that any one of use couldn't do or find? and for 100 dollars, i think you should pay me. because this post I have here, makes no sense.///But, if you like imaginary numbers, html, and maybe you should stick to 128bit, because as everyone knows you cannot add another 32, because that's still off from 154 ......or something....

Well, it turns out that weekend I was a little crazed, but I'm not in any of the hacking groups, and anything about 7 and 4 that might be related is pure coincidence. Meanwhile in that same weekend I thought it would be fun to see a pro codebreaker bust up my feeble attempts, but apparently they don't work for free and if I'm not interesting enough they won't bother.

Meanwhile, I came to my senses since then, and it's 2012 not 1999, so no one thinks breaking amateur codes is fun. It's all about the money now.

As a self-proclaimed expert on classical (pen-and-paper) cryptography, I just had to reply to this thread. If you want to challenge people to crack your self-made cipher, then it is common practice to post the exact method of encryption and decryption. Explain in detail how the cipher works and give some examples. Then you can post a challenge ciphertext, encrypted with unknown key(s). Be advised though, many "innovative" methods of encipherment boil down to one or another method that already has been in use for centuries.

As a self-proclaimed expert on classical (pen-and-paper) cryptography, I just had to reply to this thread. If you want to challenge people to crack your self-made cipher, then it is common practice to post the exact method of encryption and decryption. Explain in detail how the cipher works and give some examples. Then you can post a challenge ciphertext, encrypted with unknown key(s). Be advised though, many "innovative" methods of encipherment boil down to one or another method that already has been in use for centuries.

Well, I am less giddy about this whole thing now after someone categorized for me what I had, plus I was enamored of the security by obscurity layer which I still think is slightly stronger than it looks because part of the concept was an explosive multiplicity of methods of encoding. "If you can't figure out what you're looking at, I win."

The gist I got boiled down to that few hobby decoders are good enough to break it with no incentive, but if one of the top dogs decided it was for National Security, then it wouldn't last all that long. So since you found my old thread, if you really want a whack at it, ask me point blank and I'll whip up an example in a couple of days. P.S. Include a PM request if you do so I don't lose your reply if it falls off the top 10 threads list.

Although IĀ“d love to have a go at it, I honestly donĀ“t have the time for it, especially when itĀ“s an obscure unknown method

I'm sorry, do I detect an irony machine?

Heh - nothing is secure forever, however I think I made my point : )

One more comment: put fancier, this whole thing started with a clash between "it can't be secure" (and it probably isn't) vs "Me, No, I don't have the energy to break it". So it gets into "just how far up the hacker chain DOES it take to break brand new codes?"

Although IĀ“d love to have a go at it, I honestly donĀ“t have the time for it, especially when itĀ“s an obscure unknown method

I'm sorry, do I detect an irony machine?

Heh - nothing is secure forever, however I think I made my point : )

One more comment: put fancier, this whole thing started with a clash between "it can't be secure" (and it probably isn't) vs "Me, No, I don't have the energy to break it". So it gets into "just how far up the hacker chain DOES it take to break brand new codes?"

I agree! Also, it depends on the reward for breaking it I guess. People generally are more willing to give a crack at a $100,000 challenge or something that contains information that has merit for them.